Ratchet websocket SSL - apache

I use Ratchet websocket on my server. It is working well without SSL but I need to make it work with SSL.
I've read this stackoverflow post. Unfortunately the support of my PAAS don't use httpd.conf. They advised me to add the ProxyPass straight in the .htaccess.
Regarding adding the following line in httpd.conf file then here I
would like to inform that we are not using httpd on the server as
server is Debian based and we are using Apache web server. I believe
you can use the same line in htaccess file or it would be better if
you can consult with the developer regarding this.
# ProxyPass for Ratchet with SSL
ProxyPass /wss2/ ws://127.198.132.141:8000/
# Preventing the app from being indexed
Header set X-Robots-Tag "noindex, nofollow"
# Use the front controller as index file. It serves as a fallback solution when
# every other rewrite/redirect fails (e.g. in an aliased environment without
# mod_rewrite). Additionally, this reduces the matching process for the
# start page (path "/") because otherwise Apache will apply the rewriting rules
# to each configured DirectoryIndex file (e.g. index.php, index.html, index.pl).
DirectoryIndex app.php
# By default, Apache does not evaluate symbolic links if you did not enable this
# feature in your server configuration. Uncomment the following line if you
# install assets as symlinks or if you experience problems related to symlinks
# when compiling LESS/Sass/CoffeScript assets.
# Options FollowSymlinks
# Disabling MultiViews prevents unwanted negotiation, e.g. "/app" should not resolve
# to the front controller "/app.php" but be rewritten to "/app.php/app".
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
[...]
Unfortunately, adding ProxyPass /wss2/ ws://127.198.132.141:8000/ is crashing the server as if the .htaccess was incorrect.
Do you have any solutions or hints?
UPDATE :
From what I understand, we can't use ProxyPass in .htaccess; it should only be used in the server configuration or virtual host configuration.
I tried to explain it to the support but they do not seem to understand.
So apparently it is forbidden to use ProxyPass in .htaccess.
"ProxyPass and ProxyPassReverse are available only in the server
config and virtual host contexts."
Therefore if you can't add this line in the server config, could it be
added in the virtual host contexts?
Their answer :
As I have again reviewed all the settings on the server level which
includes the Apache modules and Firewall rules to make the Ratchet
websockets able to run on the server also the rules which we have
added in Firewall indicates that all the traffic from outside is
allowed on the port 8000 and I believe which should be sufficient to
allow outside connections for websocket.
As of now, it seems like you are trying to make the connection using
the different port (in case of https). As we have reviewed the server
settings and configurations and all seems to be good.
It would be highly appreciated if you can involve the developer in
this process so he can guide you better as he knows the code level
things much better.
Right now attempting to connect with wss will throw :
WebSocket connection to 'wss://127.198.132.141/wss2/' failed:
WebSocket opening handshake was canceled
While using http with ws is working well.

In your virtual host add :
ProxyPass /wss2/ ws://yourdomain.xxx:8888/
(try with port 8888)
do not forget to restart apache service
virtual host example:
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        <Directory /var/www/html/>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        <IfModule mod_dir.c>
            DirectoryIndex index.php index.pl index.cgi index.html index.xhtml index.htm
        </IfModule>
        SSLCertificateFile /etc/letsencrypt/live/yourdomain.xxx/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.xxx/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        ServerName yourdomain.xxx
        ProxyPass /wss2/ ws://yourdomain.xxx:8888/
    </VirtualHost>
</IfModule>
Here you can find a full working example
https://github.com/ratchetphp/Ratchet/issues/100
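
The context restriction quoted in the question is what makes the .htaccess fail to load. As an added example (not part of the original question or answer), this Python check reports directives in an .htaccess file whose documented context excludes .htaccess. The directive set is a hand-picked subset of Apache 2.4 directives, and the function name and sample file are constructed for illustration.

```python
# Added example: flag directives that Apache rejects inside .htaccess.
# NOT_IN_HTACCESS is a hand-picked, non-exhaustive subset of directives whose
# documented context (Apache 2.4) does not include .htaccess.
NOT_IN_HTACCESS = {
    "proxypass", "proxypassmatch", "proxypassreverse",
    "proxyrequests", "proxypreservehost",
    "documentroot", "servername", "errorlog", "customlog",
}


def htaccess_violations(text):
    """Return [(line_number, directive)] for directives not valid in .htaccess."""
    hits = []
    continued = False  # True when the previous line ended with a backslash
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        is_continuation, continued = continued, line.endswith("\\")
        # Skip continuation lines, blanks, comments and section tags.
        if is_continuation or not line or line[0] in "#<":
            continue
        directive = line.split(None, 1)[0]
        # Directive names are case-insensitive in Apache.
        if directive.lower() in NOT_IN_HTACCESS:
            hits.append((number, directive))
    return hits


# Constructed sample, modelled on the .htaccess shown in the question.
SAMPLE = """\
# ProxyPass for Ratchet with SSL
ProxyPass /wss2/ ws://127.198.132.141:8000/
Header set X-Robots-Tag "noindex, nofollow"
DirectoryIndex app.php
<IfModule mod_rewrite.c>
    RewriteEngine On
</IfModule>
"""

if __name__ == "__main__":
    for number, directive in htaccess_violations(SAMPLE):
        print(f"line {number}: {directive} is not allowed in .htaccess")
```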

Related

Apache 2.4 + PHP-FPM, catching error pages

Here is my vhost file:
<VirtualHost *:80>
ServerName awesome.dev
## Vhost docroot
DocumentRoot "/var/www/awesome"
## Directories, there should at least be a declaration for /var/www/awesome
<Directory "/var/www/awesome">
Options Indexes FollowSymLinks MultiViews
DirectoryIndex index.php
AllowOverride All
Require all granted
</Directory>
## Logging
ErrorLog "/var/log/apache2/w0JhArMoDehc_error.log"
ServerSignature Off
CustomLog "/var/log/apache2/w0JhArMoDehc_access.log" combined
## Server aliases
ServerAlias www.awesome.dev
## SetEnv/SetEnvIf for environment variables
SetEnv APP_ENV dev
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/awesome/$1
</VirtualHost>
I'm trying to catch all requests for non-existing *.php files.
For example, if /var/www/awesome/index.php exists and I go to http://foo.com/index.php I get the correct response, but if /var/www/awesome/foo.php does not exist and I go to http://foo.com/foo.php, I am simply getting a response of File not found.
The .htaccess file isn't being read because Apache hands everything off to PHP-FPM.
I need to catch all 404 requests and show a common error page, as you would normally see on any site.
However, since Apache hands everything off to php-fpm, it doesn't seem to be handling these errors properly.
For anyone reading today, HERE is the correct answer, thanks to Tito1337 for his answer.
ProxyErrorOverride may give you problems or break your application if you set 404's or handle some errors elsewhere in your code, and is more complicated to implement.
Instead, you should pass the request to php-fpm only if the file exists. If the file does not exist, Apache will direct to your defined ErrorDocument. You can add this check around your PHP handler in the Apache config.
Example for CentOS 8:
#
# Redirect to local php-fpm (no mod_php in default configuration)
#
<IfModule !mod_php5.c>
    <IfModule !mod_php7.c>
        # Enable http authorization headers
        SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
        <FilesMatch \.(php|phar)$>
            # NEW ADDITION - CHECK IF FILE EXISTS FIRST
            <If "-f %{REQUEST_FILENAME}">
                SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
            </If>
        </FilesMatch>
    </IfModule>
</IfModule>
I used to have the same problem and finally I fixed it.
Try adding this after the ProxyPassMatch setting:
ProxyErrorOverride on
BTW, do not forget your
ErrorDocument 404 /path/to/file
setting.
As many problems can occur during apache / php-fpm process, many errors can lead to the response
"File not found" and in logs "AH01071: Got error 'Primary script unknown\n'": (double slashes in paths, permissions,...)
To track them you can:
Put in your apache configuration "LogLevel debug" and check error log.
And/or temporarily revert your configuration to a "simple apache only try"; in my case it led me to a permissions problem (www 0751 needed to be 0755), an error which was invisible before.
PS: Take care, on another thread people say that using ProxyErrorOverride for that is "really a bad idea": Server Fault | Apache 2.4 + PHP-FPM + ProxyPassMatch

show home page through tomcat without changing url

I have tomcat running behind Apache. I also have Spring security to handle authorization and authentication and Struts 2 as my web layer framework.
Here is my requirement:
1) I want to have a home page which shows some data which is dynamic(like categories) which has to be fetched from database and rendered dynamically.
2) I want to display the above page when I hit "mysite.com" in the address bar without changing the URL, i.e. the browser address bar must show "mysite.com" only.
I could have easily kept this home page as index.html on my virtual host's documentroot location. However I cannot do this as some content is generated dynamically.
Another option is to keep this on tomcat and ask apache to forward the request to tomcat. However, this changes the URL in my address bar.
How can I handle this? Can ForwardDirectories option in JK_MOD be used?
To serve dynamic content from Tomcat to a specific domain do the following:
Create a virtual host on your apache web server that handles "mysite.com".
Map the whole content of your virtual host to Tomcat through mod_jk:
JkMount / tomcatsJVMRouteName
JkMount /* tomcatsJVMRouteName
Create another host in your Tomcats server.xml that handles "mysite.com".
Deploy your application as default application (webapps/ROOT-directory).
Now let's say I have a webapp "mysite" running on tomcat which is behind apache. This mysite webapp has a domain name "mysite.com".
When I hit "mysite.com" it must return a home page with dynamic content. So I add this as index.jsp in webapps/mysite/ directory.
Following is the virtual host I wrote for mysite app:
<VirtualHost *:86>
ServerAdmin webmaster@dummy-host.example.com
DocumentRoot "D:/var/www/html/mysite"
ServerName mysite.com
ServerAlias www.mysite.com
ErrorLog "logs/mysite-error.log"
CustomLog "logs/mysite-access.log" common
<Directory "D:/var/www/html/mysite">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI
#MultiViews
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options -Indexes +FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Require all denied
Require local granted
</Directory>
JkMount /mysite/* localtomcat
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /mysite/ !
ProxyPass / http://localhost:8080/mysite/
ProxyPassReverse / http://localhost:8080/mysite/
</VirtualHost>
So, here are my questions on the above implementation:
1) What I have done is mix the JkMount of mod_jk and the ProxyPass of mod_proxy. Even though
this works, how standard is it?
2) Does it have any serious side effects?
3) What could be an alternative solution?

Inconsistency when switching between development to live server?

I always have trouble when moving a site that I've developed in localhost into my hosting server with the .htaccess file. Specifically with relative paths to the files. It's not hard to fix, but it's quite bothering.
For example:
Whereas ErrorDocument 404 /foo/404.php works in the
hosting, for it to work in localhost I have to specify ErrorDocument
404 /projectroot/foo/404.php.
When using mod_rewrite, RewriteRule ^example/$ example.php [L,NC]
works in localhost, but for it to work in the hosting I must use
RewriteRule ^example/$ /example.php [L,NC] (note the slash before the file name).
It could be because I'm running localhost on Windows and my hosting is on Linux, but I don't think that's the problem.
So my question is, how can I ensure the paths to the files are correct when working locally or on the remote server? What is the "working directory" for the .htaccess file?
This may look slightly more complicated than it seems, but I would work out your issue in the following way.
Create a dev domain on the C:\Windows\System32\drivers\etc\hosts file pointing to the IP 127.0.0.1 which is the localhost IP.
The domain name doesn't really matter just something easy for you to use for that given project for example test.dev so the hosts file would look like this:
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
127.0.0.1 localhost
127.0.0.1 test.dev
127.0.0.1 www.test.dev
Now define where the folder for that project will be, I will use c:\projects\test for this example.
Now create on your web server a new virtualhost for the domain you have just created, here is a sample of virtualhost that I use:
<VirtualHost *:80>
ServerAdmin root@localhost
DocumentRoot "C:/projects/test"
ServerName test.dev
ServerAlias www.test.dev
ErrorLog "C:/projects/logs/test.dev_error_log"
CustomLog "C:/projects/logs/test.dev_access_log" common
RewriteLog "C:/projects/logs/test.dev_rewrite_log"
RewriteLogLevel 9
ScriptAlias /cgi-bin/ "C:/projects/test/cgi-bin/"
<Directory "C:/projects/test">
Options -Indexes FollowSymLinks +ExecCGI
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory "C:/projects/test/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
Restart your server to activate the changes, you do not need to restart the computer for the hosts file, it should work immediately once you save it.
Now you can use http://www.test.dev or http://test.dev and you can use the very same .htaccess on both, dev and live sites.
Some other tips:
Always use and define RewriteBase / as it can make a difference, especially when you want to use rules without the / at the start, like you have mentioned for RewriteRule ^example/$ example.php [L,NC]
Depending on the rules you want to use, you may need to specify -MultiViews so I often just leave it on by default, like this:
Options +FollowSymLinks -MultiViews
As you can see in my virtualhost setup, I define the access, error and rewrite logs into the logs folder by default and with the domain name in question, so when I need to see what is going on I have easy access to clear logs for that domain only and not my whole bunch of projects running on the same virtualhost.
I guess that is about it. You don't really need that huge virtualhost, that's just how I use it, and it's not like I need to copy and paste it all the time as I have my own simple script to create new domains and do all the work for me.

Apache directory listing

I am unable to stop apache from creating directory listings when using the server IP address. I have tried editing the relevant site-available files as follows;
<VirtualHost *:80>
JkMount /* default
ServerName example.co.uk
ServerAlias www.example.co.uk
ServerAdmin me@example.co.uk
DocumentRoot /var/www/example.co.uk/public_html
ErrorLog /var/www/example.co.uk/logs/error.log
CustomLog /var/www/example.co.uk/logs/access.log combined
<Directory /var/www/example.co.uk/public_html>
Options -Indexes
</Directory>
</VirtualHost>
...but the public_html folder contents are being listed if I access the server using a url of this format;
http://192.168.1.99/example.co.uk/public_html
I have also tried to amend the apache config file at /etc/apache2/apache.conf to include the following;
<Directory />
Options -Indexes
</Directory>
..but no joy.
I am using Tomcat, and I need my WEB-INF folder to deny access. It doesn't, and so any .class files can be downloaded.
Does anyone know how I can fix this?
thanks
This sounds a little weird. Do you have an Apache HTTPD in front of an Apache Tomcat Server?
In this case the Apache HTTPD must not point to a directory where the Apache Tomcat files reside! The communication between both can be seen more as a proxy rather than a plugin.
We have some good experience using mod_proxy_ajp for this purpose. But if you are able to download .class files and (panic mode on) the web.xml (panic mode off) something is terribly wrong.
This means that it will not reach your VirtualHost settings, but default virtual host settings.
You have 2 options (at least):
1, put a .htaccess file in the directory for which you want to restrict listing
2, Set up your IP-based virtual host with similar settings to your name-based vhosts
You said that you put
<Directory />
Options -Indexes
</Directory>
You should have Location instead of Directory there
What if you add /* to the end?
<Directory /var/www/example.co.uk/public_html/*>
Options -Indexes
</Directory>
Update:
Or try to add the entry outside the VirtualHost directive.

Apache configuration for installing Redmine in URL subdirectory

I have a problem about configuring apache for my installed Redmine.
I've installed Redmine (v 1.2.1) in /usr/local/lib/ directory successfully and it works. I want to configure apache so that Redmine would be accessible through http://myhost/redmine while I've installed a wordpress-based website in /var/www bound to http://myhost/. What should I do?
Here is my current apache configuration (/etc/apache2/sites-enabled/001-redmine):
<VirtualHost *:80>
ServerName myhost
DocumentRoot /usr/local/lib/redmine-1.2.1/public
ServerSignature off
<Directory />
Order Deny,Allow
Deny from all
</Directory>
<Directory /usr/local/lib/redmine-1.2.1/public>
AllowOverride None
Order allow,deny
Allow from all
Options Indexes ExecCGI FollowSymLinks
Options -MultiViews
</Directory>
ErrorLog /var/log/apache2/redmine-error.log
CustomLog /var/log/apache2/redmine-access.log combined
</VirtualHost>
Thanks.
You can also follow the FAQ from the Redmine site: http://www.redmine.org/projects/redmine/wiki/HowTo_Install_Redmine_in_a_sub-URI
I used Phusion Passenger for the Ruby plugin. I then symlinked the public folder to /var/www/redmine.
My Apache config has:
RailsBaseURI /redmine
<Directory /var/www/redmine>
Options -MultiViews
</Directory>
I had the same problem a while ago and kept some notes. According to what I figured out then, hiding the Redmine Mongrel behind the myhost/redmine dir is not entirely possible. True, Apache can act as a gateway by setting it up the following way:
ProxyPass /redmine/ http://myhost:4000/
ProxyPassReverse /redmine http://myhost:4000
ProxyPreserveHost on
But this would only work if the HTML returned by Redmine contained relative paths and not a single absolute path. Suppose a Redmine page /dir1/whatever.html references a CSS file /resources/styles.css. The client sees the HTML page as /redmine/dir1/whatever.html. If the CSS reference is relative, the client requests /redmine/css/styles.css, and Apache will forward it to the proxy as /css/styles.css. If the reference is absolute, though, the client asks for /css/styles.css, and Apache will not act as a proxy for that one. End of story.
NB: There is a third party module mod_proxy_html which parses the HTML and rewrites the references. But it will not be present on most servers.
The solution, it seemed, was to 301-redirect any requests within the /redmine dir explicitly to the Mongrel at http://myhost:4000 (should be possible with mod_rewrite).
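
The relative-versus-absolute behaviour described in the answer above, as an added example that is not part of the original post: this Python code resolves each reference in a page the way a browser would and reports which ones fall outside the proxied /redmine/ prefix. The page URL, the sample HTML and the function names are constructed for illustration; the prefix and backend come from the ProxyPass line in the answer.

```python
# Added example: which references in a proxied page escape the ProxyPass prefix?
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PREFIX = "/redmine/"             # from: ProxyPass /redmine/ http://myhost:4000/
BACKEND = "http://myhost:4000/"
PAGE = "http://myhost/redmine/dir1/whatever.html"  # constructed page URL


def route(page_url, reference):
    """Resolve reference like a browser; return the backend URL, or None if
    the resulting request would not match the ProxyPass prefix."""
    resolved = urlsplit(urljoin(page_url, reference))
    if resolved.netloc != urlsplit(page_url).netloc:
        return None  # different host: never reaches this proxy rule
    if not resolved.path.startswith(PREFIX):
        return None  # same host, but outside /redmine/
    return BACKEND + resolved.path[len(PREFIX):]


class RefCollector(HTMLParser):
    """Collect href/src attribute values in document order."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.refs.append(value)


def unproxied_refs(page_url, html):
    """Return the references in html that Apache would not forward."""
    collector = RefCollector()
    collector.feed(html)
    return [ref for ref in collector.refs if route(page_url, ref) is None]


# Constructed sample of HTML as the backend might return it.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/styles.css">
<link rel="stylesheet" href="../css/print.css">
</head><body>
<img src="logo.png"><a href="/projects">Projects</a>
</body></html>"""

if __name__ == "__main__":
    for ref in unproxied_refs(PAGE, SAMPLE_HTML):
        print("not proxied:", ref)
```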